brazerzkidaialliance.blogg.se

Boson x free ipa





Automated certificate renewal of the CA subsystem certificates was added in IPA 3.0. If you can't upgrade, here are some manual steps that should get you moving forward. Be sure you understand all the steps before proceeding.

You probably have several certificates tracked by certmonger in a CA_UNREACHABLE state, like:

    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd

The first thing you need to do is update certmonger to at least 0.58-1. This provides the dogtag-ipa-renew-agent CA that can directly renew the dogtag CA subsystem certificates. You only need to do this on those masters with a CA (so it won't hurt if you upgrade it in other places too but it won't help with this problem either).

In order for this to work you are going to need to go back in time to when the certificates are all still valid. To find out when the certificates were still valid, run:

    # for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
    do
        certutil -L -d /var/lib/pki-ca/alias -n "$nickname"
    done

Then edit /etc/pki-ca/CS.cfg and find the cert entry for each one and replace the blobs. The option names are like ca.audit_signing.cert, ca.ocsp_signing.cert, etc.

    'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert'
    'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert'
    'subsystemCert cert-pki-ca': 'ca.subsystem.cert'
    'Server-Cert cert-pki-ca': 'ca.sslserver.cert'

The PEM exported by certutil is going to be broken into several 64-character lines. You will need to combine them into a single line. Backing up this file in advance would be a good idea.

Now you can try to restart the CA to see what happens. It should come up fine.

For ipaCert, stored in /etc/httpd/alias, you have another job to do. This certificate is used to authenticate with the CA. You'll need to use ldapmodify to fix things up. Start by looking at the new value for ipaCert:

    # certutil -L -d /etc/httpd/alias -n ipaCert | grep -i serial

Next you need the base64-encoded value of the cert like before:

    # certutil -L -d /etc/httpd/alias -n ipaCert -a

Again you'll need to drop the header/footer and combine this into a single line.

    # ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca
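The CS.cfg step described on this page (drop the PEM header/footer, join the 64-character lines, match each nickname to its option name), as an added shell example that is not part of the original page. The function names and the `option=blob` line layout are assumptions, and the sample PEM is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Nickname -> CS.cfg option name, as listed on the page.
cfg_key_for() {
    case "$1" in
        "auditSigningCert cert-pki-ca") echo ca.audit_signing.cert ;;
        "ocspSigningCert cert-pki-ca")  echo ca.ocsp_signing.cert ;;
        "subsystemCert cert-pki-ca")    echo ca.subsystem.cert ;;
        "Server-Cert cert-pki-ca")      echo ca.sslserver.cert ;;
        *) return 1 ;;
    esac
}

# Read `certutil -L ... -a` output on stdin and print the base64 body as one
# line. Fails unless there is exactly one BEGIN/END pair and a clean body.
pem_to_single_line() {
    pem=$(tr -d '\r')    # tolerate CRLF line endings
    [ "$(printf '%s\n' "$pem" | grep -c '^-----BEGIN CERTIFICATE-----$')" = 1 ] || return 1
    [ "$(printf '%s\n' "$pem" | grep -c '^-----END CERTIFICATE-----$')" = 1 ] || return 1
    body=$(printf '%s\n' "$pem" |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' |
        grep -v '^-----' | tr -d ' \t\n')
    # Reject an empty body, non-base64 characters, or a truncated length.
    [ -n "$body" ] || return 1
    case "$body" in *[!A-Za-z0-9+/=]*) return 1 ;; esac
    [ $(( ${#body} % 4 )) -eq 0 ] || return 1
    printf '%s\n' "$body"
}

# Print "<option>=<blob>" (assumed CS.cfg line layout); PEM comes from stdin.
cfg_line() {
    key=$(cfg_key_for "$1") || { echo "unknown nickname: $1" >&2; return 1; }
    blob=$(pem_to_single_line) || { echo "bad PEM for: $1" >&2; return 1; }
    printf '%s=%s\n' "$key" "$blob"
}

# Constructed sample: not a real certificate, lines shortened for brevity.
sample_pem() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'TUlJQ2NvbnN0cnVjdGVk' \
        'c2FtcGxlCg==' '-----END CERTIFICATE-----'
}

sample_pem | cfg_line "subsystemCert cert-pki-ca"
# prints ca.subsystem.cert=TUlJQ2NvbnN0cnVjdGVkc2FtcGxlCg==
```

On a real master the input would be the `certutil -L -d /var/lib/pki-ca/alias -n "$nickname" -a` output for each nickname, and the printed line is compared against a backup copy of CS.cfg before anything is changed.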





